Cloud identity providers such as Microsoft Azure AD and Google G Suite do not store a user's password in the clear; they store a hash of it. A hash is the output of a one-way mathematical function (the hashing algorithm), and there is no way to turn that output back into the plain-text password.

Because the hash cannot be reversed, and each provider hashes with its own algorithm and salt, the password cannot be synced to another identity provider: the receiving provider would get a value it can neither reverse nor re-hash under its own scheme. This leaves Apple with two options:

Provisioning only: users and groups are synced/provisioned from Microsoft Azure AD or Google G Suite, but passwords are set separately within ASM and BSM.

Provisioning + SAML: users and groups are synced/provisioned from Microsoft Azure AD or Google G Suite. When a user logs in, they are redirected to the Azure AD or G Suite login URL to enter their password; once the correct password is entered, the identity provider sends the browser back to the Apple service with a signed SAML assertion and the login completes. The password itself never reaches Apple.
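A toy model of the two options, added here as an illustration rather than code from Apple, Microsoft or Google. The identity provider keeps only salted PBKDF2 hashes; option 1 copies the account and groups but has to leave the credential behind, and option 2 hands the service provider a signed assertion instead of a password. The entity IDs, the sample user and the HMAC-signed JSON token (standing in for a SAML XML assertion with an X.509 signature) are all assumptions made for the example.

```python
"""Toy model of 'provisioning only' versus 'provisioning + SAML' (added example)."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# Constructed sample data: one user as the identity provider (IdP) sees it.
ALICE_PASSWORD = "correct horse battery staple"


def make_password_record(password: str, iterations: int = 100_000,
                         salt: Optional[bytes] = None) -> dict:
    """Store a password as a salted PBKDF2-HMAC-SHA256 hash; the plaintext is discarded."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"alg": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


IDP_DIRECTORY = {
    "alice@example.edu": {"groups": ["Staff"],
                          "credential": make_password_record(ALICE_PASSWORD)},
}


def provision_user(idp_directory: dict, username: str) -> dict:
    """Option 1: copy the account and its groups to the service provider (SP).
    The credential is deliberately not copied: the SP would hold a hash it can
    neither reverse nor re-hash under its own salt, so the user sets a separate
    password at the SP (via make_password_record with a fresh salt)."""
    src = idp_directory[username]
    return {"username": username, "groups": list(src["groups"]), "credential": None}


# Option 2: the SP never sees the password; it only verifies a signed assertion.
IDP_SIGNING_KEY = secrets.token_bytes(32)  # assumption: shared HMAC key instead of XML-DSig
IDP_ENTITY_ID = "https://idp.example"     # assumption: placeholder entity IDs
SP_ENTITY_ID = "https://sp.example"


def idp_authenticate(idp_directory: dict, username: str, password: str,
                     now: Optional[float] = None) -> Optional[str]:
    """IdP side: the browser lands here, the user types the password, the IdP checks
    it against its own hash and on success issues a signed, short-lived assertion."""
    entry = idp_directory.get(username)
    if entry is None or not verify_password(entry["credential"], password):
        return None
    now = time.time() if now is None else now
    assertion = {"iss": IDP_ENTITY_ID, "aud": SP_ENTITY_ID, "sub": username,
                 "groups": entry["groups"], "exp": now + 300}
    body = base64.urlsafe_b64encode(json.dumps(assertion, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_SIGNING_KEY, body.encode(), "sha256").hexdigest()
    return f"{body}.{sig}"


def sp_consume_assertion(token: Optional[str],
                         now: Optional[float] = None) -> Optional[dict]:
    """SP side: accept the login only if signature, issuer, audience and expiry all hold."""
    if not token:
        return None
    body, _, sig = token.rpartition(".")
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered body or signature
    assertion = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if (assertion["iss"] != IDP_ENTITY_ID or assertion["aud"] != SP_ENTITY_ID
            or assertion["exp"] <= now):
        return None
    return assertion


if __name__ == "__main__":
    print("option 1 SP record:", provision_user(IDP_DIRECTORY, "alice@example.edu"))
    token = idp_authenticate(IDP_DIRECTORY, "alice@example.edu", ALICE_PASSWORD)
    print("option 2 SP sees:", sp_consume_assertion(token))
    print("wrong password gives:", idp_authenticate(IDP_DIRECTORY, "alice@example.edu", "nope"))
```

Note that in option 2 the SP checks audience and expiry as well as the signature; without those checks an assertion issued for one service could be replayed against another, which is the kind of mistake real SAML integrations get wrong.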

Both are good options and a step in the right direction, but they introduce two new problems:

Separate passwords for your Managed Apple ID and your other cloud platform(s), or a potentially jarring change of design in the login process as the user is bounced from the Apple service to the identity provider and back.

Anyway I guess we will see more of this and hopefully other changes to ASM and BSM at WWDC 2018.